 #18521  by EP_X0FF
 Thu Mar 14, 2013 6:57 am
Blaze wrote: All files gathered as mentioned in blogpost (+ today's files) attached.

Payload: xydyswylmylh.exe
MD5: 22f3c0fd2a5d9e1799699097836bb5dc
Unpacked Cutwail in attachment.
Attachments
pass: malware
 #18595  by Squirl
 Tue Mar 19, 2013 4:12 pm
Spam campaign serving up Blackhole.
http://www.symantec.com/connect/blogs/p ... ds-malware

URLs used in the campaign:
hxxp://aven-clan.net76.net/popesued.html
hxxp://daewoo.maglan.ru/popesued.html
hxxp://7887.ru/popesued.html
hxxp://dota-soul.ru/popesued.html

All samples currently redirect to:
hxxp://webpageparking.net/kill/borrowing_feeding_gather-interesting.php

Domain hosted at the following IPs:

webpageparking.net 24.111.157.113 (Grand Forks, ND, US)
webpageparking.net 109.74.61.59 ()
webpageparking.net 58.26.233.175 (Kuala Lumpur, 14, MY)
webpageparking.net 155.239.247.247 (Parow, 11, ZA)
Associated bad domains:

buxarsurf.net
buyersusaremote.net
cyberage-poker.net
fenvid.com
gatovskiedelishki.ru
heavygear.net
hotels-guru.net
openhouseexpert.net
picturesofdeath.net
plussestotally.biz
porftechasgorupd.ru
sawlexmicroupdates.ru
secureaction120.com
secureaction150.com
teenlocal.net

Payload:

Exploits CVE-2013-0431 – abuses findClass method from com.sun.jmx.mbeanserver.MBeanInstantiator (actual exploit occurs in test2.class)

5/45 https://www.virustotal.com/en/file/fd40 ... /analysis/

Server-side poly Zbot
Attachments
infected
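The indicators in the post above (defanged hxxp:// landing URLs, the webpageparking.net hosting IPs and the associated domains) are the kind of list that ends up in a proxy-log sweep. The script below is an added example and not part of the original post or of any tool it mentions: it refangs the URLs, builds host and IP indicator sets from the post, and scans proxy log lines in a constructed, hypothetical "timestamp client method url status" format, treating subdomains of a listed domain as hits while keeping look-alike names such as notsecureaction150.com clean. The log lines are constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Indicators transcribed from the post above (URLs are defanged with "hxxp").
CAMPAIGN_URLS = [
    "hxxp://aven-clan.net76.net/popesued.html",
    "hxxp://daewoo.maglan.ru/popesued.html",
    "hxxp://7887.ru/popesued.html",
    "hxxp://dota-soul.ru/popesued.html",
    "hxxp://webpageparking.net/kill/borrowing_feeding_gather-interesting.php",
]
ASSOCIATED_DOMAINS = [
    "buxarsurf.net", "buyersusaremote.net", "cyberage-poker.net", "fenvid.com",
    "gatovskiedelishki.ru", "heavygear.net", "hotels-guru.net",
    "openhouseexpert.net", "picturesofdeath.net", "plussestotally.biz",
    "porftechasgorupd.ru", "sawlexmicroupdates.ru", "secureaction120.com",
    "secureaction150.com", "teenlocal.net",
]
HOSTING_IPS = ["24.111.157.113", "109.74.61.59", "58.26.233.175", "155.239.247.247"]


def refang(url):
    """Turn a defanged hxxp:// or hxxps:// URL back into a parseable scheme."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)


def build_iocs():
    """Collect the full hosts from the landing URLs plus the listed domains and IPs."""
    hosts = {urlsplit(refang(u)).hostname for u in CAMPAIGN_URLS}
    hosts |= {d.lower() for d in ASSOCIATED_DOMAINS}
    return {"hosts": hosts, "ips": set(HOSTING_IPS)}


def host_matches(host, bad_hosts):
    """Return the matching indicator if host equals it or is a subdomain of it."""
    host = host.lower().rstrip(".")
    for bad in bad_hosts:
        if host == bad or host.endswith("." + bad):
            return bad
    return None


# Hypothetical proxy log format used for this example (not a real product's format):
# <timestamp> <client ip> <method> <url> <status>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)


def check_line(line, iocs):
    """Return (indicator, kind) when the requested host or IP is listed, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None  # malformed lines are skipped rather than crashing the sweep
    host = urlsplit(m.group("url")).hostname
    if host is None:
        return None
    if host in iocs["ips"]:
        return (host, "ip")
    hit = host_matches(host, iocs["hosts"])
    return (hit, "host") if hit else None


# Constructed sample log lines for the example (not captured traffic).
SAMPLE_LOG = [
    "2013-03-19T15:02:11Z 10.0.0.5 GET http://www.example.com/index.html 200",
    "2013-03-19T15:02:13Z 10.0.0.5 GET http://daewoo.maglan.ru/popesued.html 200",
    "2013-03-19T15:02:14Z 10.0.0.5 GET http://webpageparking.net/kill/borrowing_feeding_gather-interesting.php 200",
    "2013-03-19T15:02:15Z 10.0.0.5 GET http://24.111.157.113/kill/x.jar 200",
    "2013-03-19T15:02:16Z 10.0.0.7 GET http://cdn.secureaction150.com/upd.exe 200",
    "2013-03-19T15:02:17Z 10.0.0.7 GET http://notsecureaction150.com/ 200",
    "this line is not in the expected format",
]


def scan(lines, iocs=None):
    """Return [(line_number, indicator, kind)] for every line that hits an IOC."""
    iocs = iocs or build_iocs()
    hits = []
    for n, line in enumerate(lines, 1):
        r = check_line(line, iocs)
        if r:
            hits.append((n, r[0], r[1]))
    return hits


if __name__ == "__main__":
    for n, ind, kind in scan(SAMPLE_LOG):
        print(f"line {n}: {kind} indicator {ind}")
```

The landing hosts are kept whole (aven-clan.net76.net, not net76.net) because net76.net is a free hosting parent and listing it would flag unrelated sites; the associated domains, by contrast, are matched as domains so their subdomains count.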